Krebs on Security

In-depth security news and investigation

Emergency Fix for Windows Anti-Malware Flaw Leads May’s Patch Tuesday

Adobe and Microsoft both issued updates today to fix critical security vulnerabilities in their software. Microsoft actually released an emergency update on Monday just hours ahead of today’s regularly scheduled “Patch Tuesday” (the 2nd Tuesday of each month) to fix a dangerous flaw present in most of Microsoft’s anti-malware technology that’s being called the worst Windows bug in recent memory. Separately, Adobe has a new version of its Flash Player software available that squashes at least seven nasty bugs.

Last week, Google security researchers Natalie Silvanovich and Tavis Ormandy reported to Microsoft a flaw in its Malware Protection Engine, a technology that exists in most of Redmond’s malware protection offerings — including Microsoft Forefront, Microsoft Security Essentials and Windows Defender. Rather than worry about their malicious software making it past Microsoft’s anti-malware technology, attackers could simply exploit this flaw to run their malware automatically once their suspicious file is scanned.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” Microsoft warned. “If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned.”

On May 8, Microsoft released an out-of-band fix for the problem, demonstrating unusual swiftness in addressing a serious issue with its software.
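Because the engine is updated through the definition channel rather than through Windows Update, the practical question for a defender is simply whether the engine on a given machine has moved past the vulnerable version and whether real-time protection is still on. The script below is an added example, not code from the post or from Microsoft; it assumes the Windows Defender PowerShell module (Get-MpComputerStatus and Update-MpSignature, present on Windows 8.1/10 and Server 2012 and later; Windows 7 systems running Security Essentials or Forefront are not covered), and the fixed engine version is a placeholder to be filled in from Microsoft’s advisory, since the post does not state it.

```powershell
# Added example: report the local Malware Protection Engine version and real-time
# protection state, and pull a definition update if the engine is still below the fixed build.
param(
    # PLACEHOLDER: replace with the fixed engine version published in Microsoft's advisory.
    [version]$FixedEngineVersion = [version]'0.0.0.0'
)

# Defender module cmdlet; AMEngineVersion is the Malware Protection Engine build.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    EngineVersion      = $engine
    SignatureVersion   = $status.AntivirusSignatureVersion
    RealTimeProtection = $status.RealTimeProtectionEnabled
    EnginePatched      = ($engine -ge $FixedEngineVersion)
}

if (-not $result.EnginePatched) {
    # Engine updates ride along with definition updates, so a signature refresh
    # is the normal way to pick up the new engine without waiting for Windows Update.
    Write-Warning "Engine $engine is below $FixedEngineVersion; requesting a definition update."
    Update-MpSignature
    $result.EngineVersion = [version](Get-MpComputerStatus).AMEngineVersion
    $result.EnginePatched = ($result.EngineVersion -ge $FixedEngineVersion)
}

# Emit the object so it can be collected across a fleet (e.g. via Invoke-Command).
$result
```

Run it with `-FixedEngineVersion` set to the advisory’s value; a result with `EnginePatched` false after the update attempt, or `RealTimeProtection` false, is the machine to look at first.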

In addition to the anti-malware product update, Microsoft today released fixes for dangerous security flaws in a range of products, from Internet Explorer and Edge to Windows, Microsoft Office, .NET, and of course Adobe Flash Player.

The latest Flash Player, v. 25.0.0.171 for Windows, Mac, Linux and Chrome OS, is available from this link. Adobe’s advisory for this update is here. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware, and failing to keep up with its continuous security updates can leave users dangerously exposed. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then.

“Last week, Google security researchers Natalie Silvanovich and Tavis Ormandy reported to Microsoft a flaw in its Malware Protection Engine, a technology that exists in most of Redmond’s malware protection offerings…”

Thanks for that. For my main work machine the March update was a toxic update, bluescreen-reboot loop when it’s applied (so I’m getting that Windows 10 toxic-update experience even though I’m not on Windows 10), and thanks to Microsoft turning all updates into one giant blob there’s no way to avoid the toxic portion. This meant I’d never be able to update again, because I’d always get the toxic portion that killed my system. Being able to grab just the security updates at least means I can stay partly patched.

After install, the System process thread count would keep rising through the day from 200 to 15,000+ threads and crash the server. It didn’t rear its head until I installed the April updates, then I had to go back and remove both months of security updates… it puts you in a hard place when MS is incompetent and you can’t rely on the updates not breaking X, Y, Z… but if you don’t install them they can come back and bite you other ways…

I think that it will qualify as actual “news” when and if a week ever goes by *without* any new critical security bugs being discovered and/or patched in Adobe Flash Player.

After years of trying to keep up with the constant non-optional security updates to this deeply flawed product, one cannot help but wonder if Adobe has a set of untrained (and underpaid) chimpanzees developing and maintaining this product.

The next question to ask is: Why is anyone continuing to deploy Adobe Flash on the systems they use, or in the solutions they are creating?
If a product is flawed to the point of being dangerous, we should stop using it no matter how aesthetically pleasing it may seem.

Remember, all Flash truly provides is an efficient web delivery platform for visual presentation of information or entertainment content. Their continued existence is purely based on “first-to-market” dominance.

Analogy: Steel Lawn Darts. An enjoyable lawn toy that was on the market for years, but too dangerous to make or sell anymore.

Some applications require Flash to work. I know of a CCTV/video monitoring application, as well as a payroll application, that are built in Flash. These are commercially developed and supported products. I’m sure there are plenty of others.

For some sysadmins, it’s a business decision that they are not involved in, but must install/maintain/support.

Neither of my Windows 7 systems were offered the update for Internet Explorer 11 (KB4018271). One of them was however offered KB3008923 which was an update for Internet Explorer released in January 2015.

Am I correct in believing that Internet Explorer updates are not now included in the big roll-up?

My version of IE — Version 11.296.15063.0 (updated version 11.0.42 KB4018271) — did fully update, but I am running one of the newer versions of Windows 10. Because of your OS version you may have encountered a situation where you need to manually upgrade your version of Internet Explorer 11 on each of your machines.

Everything installed without difficulty in the background yesterday. I am finding that my version of Windows only downloads the portion of fixes that are required, making most patches and fixes much swifter than with the earlier builds I ran. I did manually apply Adobe fixes to my edition of Firefox, which is set to always ask for permission to open any Flash application encountered. If I am required to use Flash, I prefer to use Edge for that encounter. Other than that I generally use Firefox for my general use. If “FVD Speed Dial” ever becomes available on Edge I would probably fully migrate to use of Edge as my browser.

Brian, just a quick comment about Microsoft’s out-of-band fix for their antimalware engine.

Microsoft should not be overly credited for their quick turnaround time. Although I applaud the short turnaround time period itself, Microsoft integrates engine updates into their definition updates. The big plus for Microsoft is that they could release an antimalware engine update and, instead of going through the normal “Microsoft Updates” process, the engine was updated with the normal antimalware definitions.

I applaud the turnaround time; however, what I am saying is that Microsoft should not be given too much credit, since their update procedure was a simple fix on their end and an even easier installation for the users.

Brian, I am also fairly certain the only way to update Flash on Chrome OS is through the integrated Chrome OS updater. I have looked for any way to manually force an update, but have yet to find any, other than waiting for Google to release an update integrated into Chrome OS itself.

That’s correct. Chrome updates Flash through the browser automagically, but you may still have to restart the browser for the updates to be in place. If you notice an orange or red arrow within a circle next to the three dots to the right of the URL/address bar, it’s a sign that an update for Chrome is available for install. Click it and choose restart the browser.

Btw, this information was included in the last paragraph of the story:

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Does this update cause IE to not recognize Chrome? When I open Google on IE, it gives the “Get Chrome” header at the top, and it wants me to update my default search engine to Google, which is the only SE I have in IE. Thanks!